TTechclick ⚡ XP 0% All lessons
Proofpoint · Email Security · Fraud DefenceInteractive · L1 / L2 / L3

Proofpoint Email Fraud Defence — DMARC, BEC & Impersonation

Business Email Compromise costs organisations billions every year, and most attacks never touch malware — they exploit trust. This lesson maps how Proofpoint Email Fraud Defense uses DMARC, SPF and DKIM to authenticate legitimate senders, and how its supplier-risk scoring, lookalike-domain detection and display-name analysis catch the impersonation attacks that basic spam filters miss entirely.

📅 2026-06-20 · ⏱ 18 min · 4 infographics · live packet demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A practical 2026 guide to Proofpoint Email Fraud Defense: how DMARC, SPF, and DKIM stop BEC, display-name spoofing, and lookalike domain attacks — with the full authentication path mapped.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Why email fraud works

Trust, not malware — how BEC bypasses filters.

 2

SPF, DKIM & DMARC

What each standard authenticates and how they align.

 3

Fraud Defence layers

Display-name, lookalike domains, supplier risk.

 4

Deploy & operationalise

Policy ramp, DMARC reports, incident response.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does DMARC prevent a lookalike-domain attack (e.g. paypa1.com spoofing paypal.com)?

Answered in Fraud Defence layers.

2. What does SPF actually verify?

Answered in SPF, DKIM & DMARC.

3. What is the safest first DMARC policy to deploy?

Answered in Deploy & operationalise.

Most engineers think…

Most people believe that if a company has a spam filter, Business Email Compromise is solved. That mental model is why BEC remains the highest-dollar cybercrime category year after year.

BEC attacks do not use malware — they hijack trust. A well-crafted CEO-fraud email can pass SPF and DKIM, score zero on a reputation engine, and still steal millions. Proofpoint Email Fraud Defense layers email authentication (SPF, DKIM, DMARC) with AI-based behavioural analysis — display-name matching, lookalike-domain detection and supplier-risk scoring — because authentication alone only covers your own domain. Understanding where each layer starts and stops is what separates a guesswork email-security posture from one you can actually defend in an audit or an interview.

① Why email fraud works — trust, not malware

BEC (Business Email Compromise) is a social-engineering attack delivered over email, not a malware attack. The goal is to convince someone — a finance team member, an IT admin, a new employee — to wire funds, change payment details, or hand over credentials. Because there is no payload, traditional antivirus and many spam filters give these messages a clean bill of health.

There are four main attack patterns you must be able to name. CEO fraud (or executive impersonation) spoofs or compromises a senior leader's identity and orders an urgent action. Supplier invoice fraud impersonates a known vendor and asks for a payment-detail update. Display-name spoofing sets the visible From name to 'John Smith — CEO' while using an attacker-owned domain in the actual address. Lookalike domains register a convincing near-copy of a real domain (e.g. techc1ick.in) and use it to send fraud.

The critical insight: display-name spoofing and lookalike-domain attacks often pass SPF and DKIM on their own domain — they just happen to not be the domain you trust. Authentication is necessary but not sufficient.

Figure 1 — Four BEC attack patterns
Each BEC variant exploits a different trust layer. Authentication stops the bottom two; EFD is needed for the top two.Four BEC attack patternsLookalike domaintechc1ick.in — passes its own DMARC, fools the eyeDisplay-name spoofName = CFO, address = attacker GmailSupplier compromiseLegitimate supplier account hijackedDomain spoofExact-match From: header forgery — blocked by DMARC
Each BEC variant exploits a different trust layer. Authentication stops the bottom two; EFD is needed for the top two.
Quick check · Q1 of 10 · Understand

Why do display-name spoofing attacks often bypass traditional spam filters?

Correct: b. Display-name spoof messages come from a real (attacker-owned) domain that passes its own SPF and DKIM checks. With no malware, reputation engines score them clean. The social engineering is in the visible name, not the domain.
👉 So far: BEC exploits trust, not malware — four patterns: CEO fraud, supplier spoofing, display-name spoofing and lookalike domains. Authentication stops exact-match spoofing; EFD is needed for the rest.

② SPF, DKIM & DMARC — what each standard actually checks

SPF (Sender Policy Framework) is a DNS TXT record that lists the IP addresses and mail servers authorised to send email for your domain. When a receiving server gets a message, it checks the envelope sender (the MAIL FROM address, invisible to the user) against your SPF record. A pass means the sending IP is on your list; a fail means it is not. SPF alone does not protect the visible From: header.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to the message headers. The sending server signs the message with a private key; the receiving server looks up the public key in DNS and verifies the signature. A valid DKIM signature means the message body and key headers were not altered in transit and were signed by the claimed domain's key. DKIM survives forwarding; SPF often does not.

DMARC ties them together

DMARC (Domain-based Message Authentication, Reporting and Conformance) does two things: it requires alignment (the domain in the visible From: header must match the domain that passed SPF or DKIM) and it tells receivers what to do with failures — p=none (log only), p=quarantine (send to spam) or p=reject (discard). DMARC also generates aggregate (rua) and forensic (ruf) reports so you can see exactly who is sending on your behalf before you enforce.

Figure 2 — SPF → DKIM → DMARC alignment check
Every inbound message passes through three checks before DMARC issues a verdict and applies the domain owner's policy.SPF → DKIM → DMARC alignment checkSPF checkIP vs DNS recordDKIM verifysignature + public keyAlignmentFrom: vs pass domainDMARC verdictnone/quarantine/rejectrua reportaggregate sent toowner
Every inbound message passes through three checks before DMARC issues a verdict and applies the domain owner's policy.
📧
SPF
tap to flip

A DNS TXT record listing authorised sending IPs for a domain. Checks the envelope MAIL FROM, not the visible From: header. Fails on forwarded mail.

🔏
DKIM
tap to flip

Cryptographic signature on message headers and body using a private key. Receiving server verifies with public key in DNS. Survives forwarding; proves message integrity.

🛡️
DMARC
tap to flip

Adds alignment (From: domain must match SPF or DKIM pass domain) and enforces a policy: p=none (report), p=quarantine (spam), p=reject (discard). Generates rua/ruf reports.

🕵️
Email Fraud Defense
tap to flip

Proofpoint layer above authentication: display-name AI, lookalike-domain scoring, supplier-risk graph. Catches BEC that passes DMARC on an attacker-owned domain.

SPF checks the envelope; DMARC checks alignment

In an interview, always separate what each standard verifies: SPF checks the MAIL FROM (envelope) IP, DKIM checks message integrity via signature, and DMARC adds alignment so the visible From: must match. A message can pass SPF and DKIM and still be a spoofed display-name attack — that is exactly what EFD is for.

Quick check · Q2 of 10 · Remember

What does DMARC alignment require?

Correct: c. Alignment is DMARC's key addition: the From: header domain (what the user sees) must match the domain that passed the SPF check or the DKIM signature. Without alignment, an attacker could pass SPF on one domain while showing a different From: to the recipient.
👉 So far: SPF = authorised IPs for the envelope domain; DKIM = cryptographic signature on headers/body; DMARC = alignment enforcement + policy (none/quarantine/reject) + rua/ruf reports.

③ Proofpoint Email Fraud Defense layers — beyond authentication

Proofpoint Email Fraud Defense (EFD) sits on top of authentication to catch the attacks that pass SPF and DKIM. Three capabilities matter most in interviews and in production.

Display-name and header analysis: EFD compares the visible From: name and address against your executive directory and known-safe senders. If a message claims to be from 'Rajesh Mehta — CFO' but arrives from a Gmail address or an unrelated domain, EFD flags or quarantines it — even if the message passes every authentication check on the sending domain.

Lookalike-domain detection: Proofpoint maintains intelligence on domains that are visually or phonetically similar to your registered domains (e.g. substituting 'rn' for 'm', adding '-invoice', or using homoglyph characters). Incoming messages from these domains are scored and can be flagged or rejected regardless of their own SPF/DKIM status.

Supplier & third-party risk scoring: Most BEC now exploits supplier relationships — attackers either compromise a supplier's mail account or register a lookalike of the supplier's domain. EFD ingests your accounts-payable and CRM data, builds a supplier trust graph, and scores anomalies — new sending IP for a known supplier, content that requests payment changes, or a lookalike domain substituted for a known vendor.

Figure 3 — Proofpoint EFD — detection layers
All detection signals feed a central fraud-risk score that drives quarantine, flag, or reject decisions.Proofpoint EFD — detection layersEFD Risk Scorefraud verdictDMARC alignmentDisplay-name AILookalike domainsSupplier trust graphHeader anomaliesrua report data
All detection signals feed a central fraud-risk score that drives quarantine, flag, or reject decisions.
'DMARC is enough' — the common gap

DMARC at p=reject stops exact-match domain spoofing brilliantly. It does nothing to a lookalike domain (acme-inv01ces.com has its own valid DMARC record), a compromised legitimate supplier account, or a display-name spoof from a Gmail address. Always layer EFD capabilities on top of authentication, not instead of them.

▶ Watch a BEC lookalike-domain email get caught

Follow a fraudulent invoice email from a lookalike domain through SPF, DKIM, DMARC and Proofpoint EFD. Press Play for the catch, then Break it to see what happens without EFD.

① Inbound SMTPAn email arrives claiming to be from finance@acme-inv01ces.com with display name 'Acme Finance — Invoice Due'. The MX gateway receives the SMTP connection.
② SPF + DKIMThe receiving server checks SPF for acme-inv01ces.com — the attacker's IP is listed, so SPF passes. A DKIM signature from acme-inv01ces.com is present and valid. Both checks pass.
③ DMARC alignmentDMARC checks alignment: the From: domain is acme-inv01ces.com, which matches the DKIM signing domain. DMARC passes on the attacker's own record (p=none). No DMARC block.
④ EFD fraud scoreProofpoint EFD compares acme-inv01ces.com against your supplier trust graph — it is a lookalike of acme.com (your real vendor). EFD scores it high-risk, quarantines the message, and raises a fraud alert.
Press Play to step through the full catch path. Then press Break it to see the gap without EFD.
Quick check · Q3 of 10 · Apply

A supplier you know well suddenly sends an invoice from 'acme-inv01ces.com' instead of 'acme.com'. Which Proofpoint EFD capability is most relevant?

Correct: c. The lookalike domain acme-inv01ces.com can pass its own SPF and DKIM. EFD's lookalike detection flags it as a near-match to acme.com, and the supplier trust graph flags the new domain as an anomaly against your known vendor record.
👉 So far: Proofpoint EFD layers display-name AI, lookalike-domain detection and supplier-risk scoring on top of DMARC to catch the BEC attacks that pass authentication on their own attacker-owned domain.

④ Deploying DMARC correctly — and operationalising fraud defence

The single most important deployment rule: never go straight to p=reject. Start with p=none for at least two weeks, collect aggregate (rua) reports, identify all legitimate sending sources (marketing platforms, HR systems, third-party SaaS), and publish SPF and DKIM records for each. Only then move to p=quarantine, watch spam-folder rates for a week, fix any remaining misalignment, and finally promote to p=reject.

Proofpoint EFD adds a DMARC management layer on top of raw DMARC — it parses rua report feeds, maps sending sources to business owners, and provides a dashboard that shows authentication coverage per domain, per sending service. This compresses what normally takes months into a guided workflow.

Incident response with EFD

When a BEC attempt is caught, EFD surfaces the full message header, the sender-domain reputation, the lookalike score and any supplier-trust anomaly in a single pane. For incidents that slip through, Proofpoint supports message retraction (pulling delivered messages back from user inboxes through integration with Microsoft 365 or Google Workspace). Operationally, the right habit is: review the EFD daily digest, tune display-name rules as your executive roster changes, and re-scan your SPF records whenever you onboard a new SaaS vendor.

Figure 4 — p=none vs p=reject — ramp safely
Skipping the ramp from none to quarantine to reject is the single most common DMARC deployment mistake.p=none vs p=reject — ramp safelyp=none (monitor)No enforcement — observe onlyrua reports reveal all sendersZero delivery disruption riskStart here for at least 2 weeksp=reject (enforce)Unauthenticated mail discardedRequires all senders on SPF/DKIMMisconfigured SaaS = lost mailMove here only after quarantine
Skipping the ramp from none to quarantine to reject is the single most common DMARC deployment mistake.

Priya at a Mumbai fintech faces this

The CFO receives an email that appears to be from the company's Singapore office requesting an urgent wire transfer. The message passes the existing spam filter with a clean score.

Likely cause

The attacker registered sinqapore-office.com (replacing 'g' with 'q'), set up SPF and DKIM for that domain, and set the display name to 'CFO Singapore — Kavita Sharma'. No malware, no suspicious links.

Diagnosis

Check the raw From: header — the actual sender domain is sinqapore-office.com, not the real company domain. The DMARC record on sinqapore-office.com is p=none, so nothing blocked it.

Proofpoint EFD ▸ Fraud Alerts ▸ Lookalike Domain Detections + Display-Name Analysis
Fix

Enable Proofpoint EFD with lookalike-domain protection tuned to your registered domains. Set the executive display-name policy to quarantine any message claiming to be a C-suite sender but arriving from an unrecognised domain. Also register common typosquat variants of your own domains.

Verify

Re-test with a simulated lookalike-domain message — EFD should score it high-risk, quarantine it, and surface it in the fraud alerts dashboard with the lookalike match highlighted.

Read the rua report before you enforce

Before moving to p=quarantine or p=reject, download and parse your DMARC rua (aggregate) reports. Every legitimate mail stream that is failing authentication will be listed. Fix SPF/DKIM for each one, then enforce. Skipping this step is the single most common cause of legitimate mail loss during DMARC deployment.

Quick check · Q4 of 10 · Analyze

An organisation moves straight from p=none to p=reject. What is the most likely first consequence?

Correct: b. Skipping quarantine means any legitimate sender (marketing platform, HR system, SaaS) that is not yet on the SPF record or DKIM-signed will have its mail silently rejected. The ramp (none → quarantine → reject) exists to surface and fix these gaps before enforcement.
👉 So far: DMARC deployment ramp: p=none (collect rua reports, identify all senders) → p=quarantine (watch spam rates) → p=reject (enforce). Never skip steps — uncovered SaaS senders will lose mail.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which email authentication standard provides forensic (ruf) and aggregate (rua) reports to domain owners?

Correct: c. DMARC is the only standard of the three that generates reports. rua (aggregate) reports show pass/fail counts per sending source; ruf (forensic) reports include sample failed messages. SPF and DKIM perform checks but do not generate reports.
Q6 · Understand

A message from ceo@techclick.in arrives from an IP not listed in techclick.in's SPF record. DMARC is p=reject. What happens?

Correct: b. DMARC requires at least ONE of SPF or DKIM to pass AND align. If SPF fails but DKIM passes and the DKIM signing domain aligns with the From: domain, DMARC passes. Only if both SPF and DKIM fail alignment does DMARC reject (given p=reject).
Q7 · Apply

Your marketing team starts using a new SaaS email platform. Two weeks later the DMARC rua report shows thousands of SPF failures from the new platform's IP ranges. Best fix?

Correct: c. The rua report is telling you the new platform's IPs are not authorised in SPF. Add an include mechanism (or the IP range) to your SPF record and configure DKIM signing for the platform. This is exactly the discovery process p=none is designed for before you enforce.
Q8 · Analyze

A vendor's legitimate email account is compromised and an attacker sends a fraudulent payment-change request from the real vendor domain with valid SPF and DKIM. Which control is best placed to catch this?

Correct: a. A compromised legitimate account passes SPF, DKIM and DMARC on the real domain — all three authentication checks confirm the sender as legitimate. DMARC cannot help here. EFD's supplier risk graph flags the anomalous content pattern (payment-detail change request) against the known sending profile for that vendor, making it the correct catch layer.
Q9 · Evaluate

An interviewer asks: 'Is p=reject DMARC sufficient to stop BEC?' Best answer?

Correct: b. p=reject is essential and stops direct domain impersonation, but it only covers your own domains. A lookalike domain passes DMARC on its own record. A compromised supplier account passes DMARC legitimately. Display-name spoofing from Gmail passes DMARC on gmail.com. All three require Proofpoint EFD layered on top.
Q10 · Evaluate

What is the primary risk of enforcing DMARC at p=quarantine before reviewing rua reports?

Correct: d. Enforcing before reviewing rua reports means unknown legitimate senders — SaaS platforms, HR systems, marketing tools — that are not yet on the SPF record or DKIM-signed will be quarantined. The rua-report review period exists precisely to identify and fix these senders before enforcement begins.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: why is DMARC at p=reject not enough to stop Business Email Compromise? Then compare with the expert version.

Expert version: DMARC p=reject stops exact-match domain spoofing of your own domains — it enforces that the visible From: domain must align with a passing SPF or DKIM check. But BEC attacks on lookalike domains (acme-inv01ces.com) pass DMARC on their own record. Compromised legitimate supplier accounts pass DMARC on the real vendor domain. Display-name spoofing from Gmail passes DMARC on gmail.com. None of these are stopped by your DMARC policy. That is why Proofpoint Email Fraud Defense layers display-name AI, lookalike-domain detection and supplier-risk scoring on top — because authentication alone only covers domains you own.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

SPF (Sender Policy Framework)
A DNS TXT record listing authorised sending IPs and mail servers for a domain. Checks the envelope MAIL FROM, not the visible From: header. Fails on forwarded mail.
DKIM (DomainKeys Identified Mail)
Cryptographic signature added to message headers and body using a private key. Receiving servers verify with the public key published in DNS. Proves message integrity and survives forwarding.
DMARC
Domain-based Message Authentication, Reporting and Conformance. Adds alignment (From: domain must match SPF/DKIM pass domain), enforces a policy (none/quarantine/reject), and generates rua/ruf reports.
BEC (Business Email Compromise)
A social-engineering attack delivered by email, targeting people to wire money or change payment details. Uses no malware — exploits trust through impersonation.
Lookalike domain
A domain visually or phonetically similar to a legitimate domain, using character swaps, added words or homoglyphs, designed to fool recipients into trusting fraudulent email.
Display-name spoofing
Setting the visible From: name to an executive or trusted contact while using an attacker-owned domain in the actual email address. Passes authentication on the sending domain.
DMARC alignment
The DMARC requirement that the domain in the visible From: header matches the domain that passed the SPF or DKIM check, closing the gap between envelope and displayed sender.
Email Fraud Defense (EFD)
Proofpoint product that layers AI-based display-name analysis, lookalike-domain detection and supplier-risk scoring on top of email authentication to catch BEC attacks that pass DMARC.
rua / ruf reports
DMARC aggregate (rua) reports list pass/fail counts per sending source, sent daily. Forensic (ruf) reports include sample failed messages. Both are essential for safe DMARC enforcement ramp-up.
Supplier trust graph
Proofpoint EFD's model of your known vendor and partner domains and sending patterns, used to score inbound messages and flag anomalies like new IPs or payment-change requests.

📚 Sources

  1. Proofpoint — Email Fraud Defense product page. proofpoint.com/us/products/email-fraud-defense
  2. Proofpoint — Understanding BEC: Business Email Compromise threat landscape. proofpoint.com/us/threat-reference/business-email-compromise
  3. IETF RFC 7208 — Sender Policy Framework (SPF) for Authorizing Use of Domains in Email. tools.ietf.org/html/rfc7208
  4. IETF RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures. tools.ietf.org/html/rfc6376
  5. IETF RFC 7489 — Domain-based Message Authentication, Reporting, and Conformance (DMARC). tools.ietf.org/html/rfc7489
  6. Proofpoint Help — Configuring DMARC in Proofpoint Email Security and Fraud Defense. help.proofpoint.com

What's next?

Got the fraud-defence layer? Next, explore how Proofpoint Targeted Attack Protection (TAP) handles URL rewriting, sandboxing and Very Attacked Person (VAP) scoring to stop the malware and credential-phishing attacks that slip past perimeter filters.

Next · All interview lessons → Practice on exam.techclick.in →